Flows? IDS? The bugs in the rug of NMS.
I’ve been focused primarily on network flows (using argus), and after having the data for weeks and reviewing the contents, I ended up sighing and saying “what am I supposed to do with all this lovely data?”
I’ve been too focused on the bug in the rug that is network flows, when I should have stepped back far enough to see the rug, actually seeing where network flows lie within a network security monitoring architecture. Duh!
I was in the midst of writing a laundry list of features included in a few IDSes, focusing on creating an NSM, but after a short romp in the NSMwiki and sguil docs, I came across a sample chapter from Richard Bejtlich’s book The Tao of Network Security Monitoring: Beyond Intrusion Detection (which is in my Amazon wishlist *cough*cough*) discussing sguil, formally titled “Why Sguil Is the Best Option for Network Security Monitoring Data“. It analyzes a variety of solutions and where they fit to solve the problems presented.
Richard clearly focuses on why using Sguil is the best solution, and lists downfalls of several other applications that are used to cover similar things.
Richard also wrote up how to install the sguil Tcl/Tk client on a Windows box, and there is an entry on the NSMwiki that walks through getting the latest TLS module, which the client needs for its encrypted connection to the sguil server.
Note that the required ActiveTcl version, 8.4.x, is available on the main download page; just scroll down past the newer releases.
Did I waste time on argus? Nope, I gained a lot of knowledge and argus is commonly used to complement sguil to provide more context to alerts. I do still have my supreme goal of using d3js to render argus data, so keep an eye out.
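To make concrete what “flows complement sguil to provide more context to alerts” means in practice, here is an added example (my own code, not the post author’s and not part of sguil or argus): given an IDS alert’s source host, time and destination, pull the flow records from a window around the alert, total bytes per peer the host talked to, and pick out the flow that matches the alert. The flow lines are constructed sample data shaped like delimited `ra` output with an assumed field list of `stime,proto,saddr,sport,dir,daddr,dport,pkts,bytes`; the exact `ra` invocation and field names are assumptions to check against `man ra` for your argus version.

```python
"""Pivot from an IDS alert to the Argus flows around it.

Added example, not the author's code. SAMPLE_FLOWS is constructed to look like
comma-delimited `ra` output with the field list assumed to be
stime,proto,saddr,sport,dir,daddr,dport,pkts,bytes (assumption: check `man ra`).
"""
from datetime import datetime, timedelta

FIELDS = ["stime", "proto", "saddr", "sport", "dir", "daddr", "dport", "pkts", "bytes"]

# Constructed sample flows (not real capture data); timestamps are UTC.
SAMPLE_FLOWS = """\
2013-03-01 10:00:05.120,tcp,10.0.0.5,51234,->,203.0.113.9,80,12,2048
2013-03-01 10:01:10.000,tcp,10.0.0.5,51235,->,203.0.113.9,443,30,15000
2013-03-01 10:01:30.500,udp,10.0.0.5,53001,<->,10.0.0.2,53,2,180
2013-03-01 10:02:00.000,tcp,10.0.0.7,40000,->,198.51.100.4,22,5,600
2013-03-01 10:30:00.000,tcp,10.0.0.5,51240,->,203.0.113.9,80,4,300
"""

# Constructed alert in the shape an analyst sees in the sguil console:
# event time, signature name and the 5-tuple fields we pivot on.
ALERT = {
    "time": "2013-03-01 10:01:12",
    "sig": "ET POLICY suspicious outbound (constructed example)",
    "saddr": "10.0.0.5",
    "daddr": "203.0.113.9",
    "dport": 443,
}


def parse_flows(text):
    """Turn delimited ra-style lines into dicts with typed time/port/counter fields."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(zip(FIELDS, line.split(",")))
        rec["stime"] = datetime.strptime(rec["stime"], "%Y-%m-%d %H:%M:%S.%f")
        for key in ("sport", "dport", "pkts", "bytes"):
            rec[key] = int(rec[key])
        flows.append(rec)
    return flows


def flows_around_alert(flows, alert, window_minutes=5):
    """Flows that involve the alert's source host within +/- window_minutes."""
    t = datetime.strptime(alert["time"], "%Y-%m-%d %H:%M:%S")
    lo, hi = t - timedelta(minutes=window_minutes), t + timedelta(minutes=window_minutes)
    host = alert["saddr"]
    return [f for f in flows if lo <= f["stime"] <= hi and host in (f["saddr"], f["daddr"])]


def summarize(context, alert):
    """Bytes per peer of the alerting host, plus the flow matching the alert's dst/port."""
    peers = {}
    matched = None
    for f in context:
        peer = f["daddr"] if f["saddr"] == alert["saddr"] else f["saddr"]
        peers[peer] = peers.get(peer, 0) + f["bytes"]
        if f["daddr"] == alert["daddr"] and f["dport"] == alert["dport"]:
            matched = f
    return peers, matched


if __name__ == "__main__":
    ctx = flows_around_alert(parse_flows(SAMPLE_FLOWS), ALERT)
    peers, hit = summarize(ctx, ALERT)
    print(f"{len(ctx)} flows around alert '{ALERT['sig']}'")
    for peer, total in sorted(peers.items(), key=lambda kv: -kv[1]):
        print(f"  {ALERT['saddr']} <-> {peer}: {total} bytes")
    if hit:
        print(f"  matching flow: {hit['pkts']} pkts / {hit['bytes']} bytes to port {hit['dport']}")
```

The point of the pivot is the bytes-per-peer view: the alert itself only names one connection, while the flows show everything else the host did in the same few minutes (here a DNS lookup and an earlier port 80 session to the same peer), which is what lets you judge whether the alert is noise or the start of something.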